The investigation was launched following a complaint submitted by a private individual who reported that the operator had processed their personal data without consent. According to ANSPDCP, Romoffice Construct Holding Ag SRL used the complainant’s phone number, initially provided through an online form for registering in a public funding program.
During the inquiry, the authority found that the operator failed to provide evidence demonstrating a legal basis for processing the data or for using it to contact the individual with information about a promotional campaign.
ANSPDCP concluded that the operator violated Article 5(1)(a) and (2), in relation to Article 6(1) of Regulation (EU) 2016/679, which establish the principles of lawfulness, fairness, and transparency in personal data processing.
The case highlights the ongoing need for organizations to ensure a valid legal basis for processing personal data and to maintain full compliance with GDPR requirements.